How to Use Azure AD for credential verification

Overview

Once Azure AD Domain Services has been enabled, Azure AD can be exposed over secure LDAP (LDAPS). This article does not cover how to configure that on the Azure AD side. It shows how to configure the Curity Identity Server to use the secure LDAP interface of Azure AD as a Data Source, and how to use that Data Source in a Credential Manager so that user credentials are verified against Azure AD during authentication.

Prerequisites

Configure Curity

Curity can use LDAP as a Data Source out of the box. With a few specific settings Curity can connect to a secure LDAP endpoint, and that Data Source can then be used by a Credential Manager that verifies a user's credentials in the authentication process.

Server Trust Store

Curity needs to trust the certificate presented by the Azure AD secure LDAP endpoint before it will open a TLS connection to it, so that certificate has to be added to a Server Trust Store.

If the certificate is not already available it can be obtained directly in the Curity Admin UI. Go to Facilities in the top right corner and add a new Server Trust Store. Select the Host option, enter the Azure AD secure LDAP host and port, for example aaddscontoso.com:636, click Next, give it a name and click Ok.

Obtain certificate using openssl

Alternatively the certificate can be obtained using openssl. Execute the following from a command prompt:

openssl s_client -connect aaddscontoso.com:636 \
  -showcerts </dev/null 2>/dev/null | openssl x509 \
  -outform PEM > azure_ad_ldap_server.pem

Two things to keep in mind about this command. The second openssl invocation keeps only the first certificate it reads, which is the server's own certificate, not the rest of the chain. And s_client does not verify the certificate it receives, so run this from a network path you trust and compare the resulting certificate (subject, issuer and validity can be listed with openssl x509 -in azure_ad_ldap_server.pem -noout -subject -issuer -dates) with the certificate uploaded to Azure AD Domain Services before trusting it.

The downloaded certificate can be added using the File option, browse to azure_ad_ldap_server.pem, no password should be needed.

The certificate can also be added using the Text option and is simply a copy and paste of the certificate itself. This is described in the Curity Admin UI.

Data Source

The bulk of the configuration on the Curity Identity Server side when using Azure AD for authentication lies in configuring an LDAP Data Source. It is not a complicated configuration, but all values naturally need to align with how Azure AD, Azure AD Domain Services and secure LDAP are configured.

In the Curity Admin UI, go to Facilities and click New to add a new Data Source. Give it a name, Azure_AD for example. The table below shows an example configuration for the LDAP Data Source.

Parameter                       Value
Type                            ldap
Hostname                        aaddscontoso.com
Port                            636
Client ID                       CN=John Doe,OU=AADDC Users,DC=aaddscontoso,DC=com
Client Secret                   Pa$$w0rd1!
Default Root                    OU=AADDC Users,DC=aaddscontoso,DC=com
Search scope                    sub
Ldaps                           enabled
Disable Hostname Verification   disabled
Use Truststore                  enabled
Ldap Server Type                active-directory

<config xmlns="http://tail-f.com/ns/config/1.0">
  <facilities xmlns="https://curity.se/ns/conf/base">
  <data-sources>
  <data-source>
    <id>Azure_AD</id>
    <ldap xmlns="https://curity.se/ns/conf/data-access/ldap">
      <hostname>aaddscontoso.com</hostname>
      <port>636</port>
      <ldaps>true</ldaps>
      <tls>
        <use-truststore>true</use-truststore>
      </tls>
      <client-id>CN=John Doe,OU=AADDC Users,DC=aaddscontoso,DC=com</client-id>
      <client-secret>Pa$$w0rd1!</client-secret>
      <default-root>OU=AADDC Users,DC=aaddscontoso,DC=com</default-root>
    </ldap>
  </data-source>
  </data-sources>
  </facilities>
</config>

Make sure to use the correct host for your environment and that the port used (636 is the default for LDAPS) is reachable from the Curity Identity Server.

The Client ID and Secret are needed if anonymous bind is not allowed. Note the format of the Client ID: it is the full distinguished name of the bind account, and that account must be permitted to bind to the secure LDAP endpoint. Use a dedicated account with read-only access to the user subtree rather than an administrative one; that is sufficient for the lookups Curity performs with it.

Default Root is the base of the LDAP tree where Curity starts its lookup when verifying credentials. Restricting it to the container that holds the users, rather than the domain root, keeps lookups from wandering into other parts of the directory.

Make sure Ldaps is enabled and Use Truststore is enabled, so that the connection is encrypted and the server certificate is validated against the trust store created earlier, and leave Disable Hostname Verification disabled so that a certificate issued for some other host is not accepted.

The rest of the configuration can be left at its defaults. Additional settings can be made as needed but are not covered by this tutorial.
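As an added example (not part of this tutorial and not Curity tooling), the following Python script checks an exported LDAP Data Source configuration, such as the XML above, for the settings that matter when credentials are verified over LDAPS: Ldaps enabled, port 636, Use Truststore enabled, hostname verification not disabled, a DN-formatted Client ID and a Default Root. The element name disable-hostname-verification is an assumption taken from the Admin UI label and does not appear in the tutorial's XML; both sample configurations are constructed inline, the second being a deliberately weakened copy of the first.

```python
"""Lint a Curity LDAP Data Source export for LDAPS credential-verification settings.

Added example for this tutorial, not Curity tooling. The element name
disable-hostname-verification is an assumption taken from the Admin UI label
"Disable Hostname Verification"; the other element names come from the
tutorial's own XML export.
"""
import xml.etree.ElementTree as ET

# Namespaces used in the Curity configuration export shown in the tutorial.
NS = {
    "base": "https://curity.se/ns/conf/base",
    "ldap": "https://curity.se/ns/conf/data-access/ldap",
}


def check_ldap_data_source(xml_text):
    """Return a list of findings for every <data-source> that has an <ldap> block.

    An empty list means all LDAP data sources in the export pass the checks.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for ds in root.iterfind(".//base:data-source", NS):
        ds_id = ds.findtext("base:id", default="<no id>", namespaces=NS)
        ldap = ds.find("ldap:ldap", NS)
        if ldap is None:
            continue  # some other data source type, nothing to check here

        def setting(path):
            # Normalised text of a child element of <ldap>, "" when absent.
            return ldap.findtext(path, default="", namespaces=NS).strip().lower()

        if setting("ldap:ldaps") != "true":
            findings.append(f"{ds_id}: ldaps is not enabled; bind passwords would "
                            "cross the network unencrypted")
        elif setting("ldap:port") != "636":
            findings.append(f"{ds_id}: port {setting('ldap:port') or '<unset>'} "
                            "with ldaps enabled; Azure AD DS secure LDAP listens on 636")
        if setting("ldap:tls/ldap:use-truststore") != "true":
            findings.append(f"{ds_id}: use-truststore is not enabled; the server "
                            "certificate is not checked against the trust store")
        if setting("ldap:tls/ldap:disable-hostname-verification") == "true":
            findings.append(f"{ds_id}: hostname verification is disabled; a valid "
                            "certificate for any other host would be accepted")
        has_secret = ldap.find("ldap:client-secret", NS) is not None
        if has_secret and "dc=" not in setting("ldap:client-id"):
            findings.append(f"{ds_id}: client-id is not a distinguished name; "
                            "Azure AD DS expects the full DN of the bind account")
        if not setting("ldap:default-root"):
            findings.append(f"{ds_id}: default-root is empty; point it at the "
                            "container holding the users, e.g. OU=AADDC Users,...")
    return findings


# Constructed sample: the configuration from the tutorial.
GOOD_CONFIG = """<config xmlns="http://tail-f.com/ns/config/1.0">
  <facilities xmlns="https://curity.se/ns/conf/base">
    <data-sources>
      <data-source>
        <id>Azure_AD</id>
        <ldap xmlns="https://curity.se/ns/conf/data-access/ldap">
          <hostname>aaddscontoso.com</hostname>
          <port>636</port>
          <ldaps>true</ldaps>
          <tls>
            <use-truststore>true</use-truststore>
          </tls>
          <client-id>CN=John Doe,OU=AADDC Users,DC=aaddscontoso,DC=com</client-id>
          <client-secret>Pa$$w0rd1!</client-secret>
          <default-root>OU=AADDC Users,DC=aaddscontoso,DC=com</default-root>
        </ldap>
      </data-source>
    </data-sources>
  </facilities>
</config>
"""

# Constructed sample: the same export with the security-relevant settings weakened.
WEAK_CONFIG = (
    GOOD_CONFIG.replace("<port>636</port>", "<port>389</port>")
    .replace("<ldaps>true</ldaps>", "<ldaps>false</ldaps>")
    .replace("<use-truststore>true</use-truststore>",
             "<use-truststore>false</use-truststore>\n"
             "            <disable-hostname-verification>true</disable-hostname-verification>")
    .replace("<client-id>CN=John Doe,OU=AADDC Users,DC=aaddscontoso,DC=com</client-id>",
             "<client-id>johndoe</client-id>")
)


if __name__ == "__main__":
    for name, cfg in (("tutorial config", GOOD_CONFIG), ("weakened config", WEAK_CONFIG)):
        problems = check_ldap_data_source(cfg)
        print(f"{name}: {'OK' if not problems else str(len(problems)) + ' finding(s)'}")
        for problem in problems:
            print("  -", problem)
```

Run it against a configuration export before committing it; the tutorial's configuration produces no findings, while the weakened copy reports the disabled LDAPS, the missing trust store validation, the disabled hostname verification and the non-DN Client ID.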

Credential Manager

With the Data Source created we can now create a Credential Manager for Azure AD. Go to Facilities and add a new Credential Manager.

Give it a name, Azure_CM for example. Set the Algorithm Type to plaintext and the Data Source to the newly created Data Source. With an LDAP Data Source, plaintext means that Curity does not hash or compare the password itself: the credential is handed to the directory as entered and the directory decides whether it is valid. That is why the LDAPS, trust store and hostname verification settings on the Data Source matter; without them the password would travel unprotected, or to a server that has not been authenticated.

Conclusion

With the Trust Store configured and the Data Source and Credential Manager created, we can now leverage Azure AD and its secure LDAP interface to check a user's credentials in the authentication process.

As an example, an HTML Form Authenticator could be used for authentication, configured to use the Credential Manager that in turn uses Azure AD as its Data Source.
